[selinux-policy: 1683/3172] from Dan: This is a new policy for the User Switching capability coming in gnome.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:30:30 UTC 2010
commit c224d91c7bdc13f0effa9e036fcf31248d3a2208
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Mar 19 18:01:15 2007 +0000
from Dan:
This is a new policy for the User Switching capability coming in gnome.
consolekit is a daemon that communicates with xdm_t and hal through dbus to change the
ownership/access on certain devices when the login session changes from one user to another.
Changelog | 2 +
policy/modules/services/consolekit.fc | 1 +
policy/modules/services/consolekit.if | 40 +++++++++++++++++++++++++++
policy/modules/services/consolekit.te | 49 +++++++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 6 +++-
5 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 5f37eed..b831d81 100644
--- a/Changelog
+++ b/Changelog
@@ -32,6 +32,8 @@
- Clean up file context regexes in apache and java, from Eamon Walsh.
- Patches from Dan Walsh:
Thu, 25 Jan 2007
+- Added modules:
+ consolekit (Dan Walsh)
* Tue Dec 12 2006 Chris PeBenito <selinux at tresys.com> - 20061212
- Add policy patterns support macros. This changes the behavior of
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
new file mode 100644
index 0000000..e8268f8
--- /dev/null
+++ b/policy/modules/services/consolekit.fc
@@ -0,0 +1 @@
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
new file mode 100644
index 0000000..0c123a3
--- /dev/null
+++ b/policy/modules/services/consolekit.if
@@ -0,0 +1,40 @@
+## <summary>Framework for facilitating multiple user sessions on desktops.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run consolekit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consolekit_domtrans',`
+ gen_require(`
+ type consolekit_t, consolekit_exec_t;
+ ')
+
+ domtrans_pattern($1,consolekit_exec_t,consolekit_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolekit_t:dbus send_msg;
+ allow consolekit_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
new file mode 100644
index 0000000..61e6f51
--- /dev/null
+++ b/policy/modules/services/consolekit.te
@@ -0,0 +1,49 @@
+
+policy_module(consolekit,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolekit_t;
+type consolekit_exec_t;
+init_daemon_domain(consolekit_t, consolekit_exec_t)
+
+########################################
+#
+# consolekit local policy
+#
+
+allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process getsched;
+allow consolekit_t self:fifo_file rw_fifo_file_perms;
+allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_urand(consolekit_t)
+dev_read_sysfs(consolekit_t)
+
+domain_read_all_domains_state(consolekit_t)
+domain_use_interactive_fds(consolekit_t)
+
+files_read_etc_files(consolekit_t)
+
+init_use_script_ptys(consolekit_t)
+
+libs_use_ld_so(consolekit_t)
+libs_use_shared_libs(consolekit_t)
+
+miscfiles_read_localization(consolekit_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(consolekit_t)
+ term_dontaudit_use_generic_ptys(consolekit_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(consolekit, consolekit_t)
+ dbus_send_system_bus(consolekit_t)
+ dbus_connect_system_bus(consolekit_t)
+
+ hal_dbus_chat(consolekit_t)
+')
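Review bot: The line `allow consolekit_t self:capability { sys_tty_config dac_override sys_nice sys_ptrace };` grants `dac_override` and `sys_ptrace` without a comment saying which daemon operation needs them. Together with `domain_read_all_domains_state(consolekit_t)`, this gives an init-started daemon that talks on the system bus wide read access to other domains' process state. I would put a comment above the line, for example `# sys_ptrace, dac_override: reading session process state of other users; confirm against AVC denials`, and drop any capability that audit logs do not show being exercised. `sys_nice` is allowed while `self:process` only has `getsched`, so either `setsched` is presumably missing or `sys_nice` is unneeded. The commit message mentions talking to xdm_t over dbus, but only `hal_dbus_chat(consolekit_t)` appears in the `optional_policy` block; if the xdm rule lives elsewhere, a comment saying so would help.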
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 19df0fb..4e689b4 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.5.1)
+policy_module(unconfined,1.5.2)
########################################
#
@@ -80,6 +80,10 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ consolekit_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
cups_dbus_chat_config(unconfined_t)
')